Gen.Variant.MSILDownloader.1_a2d2e1cc1e
Gen:Variant.MSILDownloader.1 (BitDefender), HEUR:Trojan-Spy.MSIL.Agent.gen (Kaspersky), Trojan.Hosts.44827 (DrWeb), Gen:Variant.MSILDownloader.1 (B) (Emsisoft), Artemis!A2D2E1CC1ED2 (McAfee), Trojan.Gen.2 (Symantec), Gen:Variant.MSILDownloader.1 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0OFC18 (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Requires JavaScript enabled! |
---|
MD5: a2d2e1cc1ed29bad211833f9cab40dda
SHA1: 7552c36d69dbd28dbbdfc06277213d2415eee72a
SHA256: 4d4f4a107d2de94e00016f28debc0088194ac3da0c881ea6994db03097b04127
SSDeep: 12288:egkfPcISkEPV5zJFIysBq4RCqZ61sAbN5a1ZlnAsXnskXhr6s9XKkA96rwAFDSt9:zAcIS9PwC3AZNA0BXhrXkIlB7wuQ
Size: 1701888 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2018-06-10 02:01:38
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Spy. Spy program intended for stealing user's confidential data.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:2428
GoogleUpdate.exe:2276
GoogleUpdate.exe:3604
GoogleUpdate.exe:2348
GoogleUpdate.exe:2564
GoogleUpdate.exe:1860
GoogleUpdateSetup.exe:1080
The Trojan injects its code into the following process(es):
%original file name%.exe:3560
UI0Detect.exe:2516
UI0Detect.exe:2580
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:3604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\Install\{DE396D46-002C-4560-9490-D50743627705}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{28C25E36-1EF8-4804-B6DD-549F255A2B2E}-GoogleUpdateSetup.exe (0 bytes)
The process GoogleUpdate.exe:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)
The process %original file name%.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (3 bytes)
The process GoogleUpdateSetup.exe:1080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\GUM8FC0.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\psuser.dll (206 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM8FC0.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUT8FC1.tmp (7 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM8FC0.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM8FC0.tmp (32 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ar.dll (41 bytes)
The Trojan deletes the following file(s):
%Program Files%\GUM8FC0.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM8FC0.tmp (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psuser.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUT8FC1.tmp (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_et.dll (0 bytes)
Registry activity
The process GoogleUpdate.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"
[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"
[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"
[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"
[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:2276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:3604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529391604"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529391604"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{86761C6E-422F-4028-98C4-6C1C93DB274D}]
"PersistedPingTime" = "131739454210074299"
"PersistedPingString" = "
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""
[HKLM\SOFTWARE\Google\Update\PersistedPings\{C3174DA0-6EBA-4BDF-8DB6-4E35B7D6CDAE}]
"PersistedPingString" = "
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529391604"
"ping_freshness" = "{CB034849-EBEC-47F7-8998-F2ABC84F8CDE}"
[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529471828"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{009DFB2D-DA35-4DD7-A67C-6E7343845DFA}"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529391604"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{C3174DA0-6EBA-4BDF-8DB6-4E35B7D6CDAE}]
"PersistedPingTime" = "131739454286826433"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{0A42FD49-3C11-4F3B-871E-696636424042}"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529471828"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529391604"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{86761C6E-422F-4028-98C4-6C1C93DB274D}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{C3174DA0-6EBA-4BDF-8DB6-4E35B7D6CDAE}]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"
[HKLM\SOFTWARE\Google\Update]
"uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
The process GoogleUpdate.exe:2348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"
[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"
[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"
[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"
[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"
[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"
[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"
[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{89A6FAA6-F6B0-4A72-B8F3-5527E75894CB}]
"PersistedPingTime" = "131739454698380157"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"
[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529471869"
[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529471869"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{89A6FAA6-F6B0-4A72-B8F3-5527E75894CB}]
"PersistedPingString" = "
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"
[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{89A6FAA6-F6B0-4A72-B8F3-5527E75894CB}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"
[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"
[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"
[HKLM\SOFTWARE\Google\Update]
"ui"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"
[HKLM\SOFTWARE\Google\Update]
"mi"
The process %original file name%.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
6c718849d436a7ccebed72538f8bd04b | c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler.exe |
d2f56e366f1cb26866a6f43bd53b46c3 | c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler64.exe |
92ee791a630830452485e8e375f8db35 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdate.exe |
8171211b809414b6d8a8e4f6ea8cf140 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateBroker.exe |
03b587bfaf6dd67b330ccb6fb99ca59a | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe |
678dd73ca364411bcf431892b8f878da | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateCore.exe |
96e08eb0d929c279536bdbbc543da8fb | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe |
53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateSetup.exe |
063ca1017835923689c4957562ea2862 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe |
463a426da94fc2418a713ceebb799e22 | c:\Program Files\Google\Update\1.3.33.17\goopdate.dll |
e433408ca45786f9b6b7873709f57eba | c:\Program Files\Google\Update\1.3.33.17\goopdateres_am.dll |
9d85c8517de4db2380aa14593d8a899a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ar.dll |
f376765117f5b82123ec1f4fd352fb9c | c:\Program Files\Google\Update\1.3.33.17\goopdateres_bg.dll |
4a5e2fac15b93b43a2ee673e2e111478 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_bn.dll |
230fe7b526bde7aff33b616618a8d05a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ca.dll |
9b598c6a4d3d9586f93feca20f51da70 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_cs.dll |
b1bd2d1889f42f20aeac5f1998d8b21b | c:\Program Files\Google\Update\1.3.33.17\goopdateres_da.dll |
e5ea4068551b3ac782d955a699222067 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_de.dll |
68cf3b8fef6b56cd583e8c30ae8ca563 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_el.dll |
2087af32c82c00e32094ae86dcf35607 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_en-GB.dll |
9c2a3eec41cd4effd6ffecaa910dd7da | c:\Program Files\Google\Update\1.3.33.17\goopdateres_en.dll |
7c7c2b897c7107e910eab8b669c93738 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_es-419.dll |
73ccbf92e13acc6389bb9f7dd04935b6 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_es.dll |
a2cb2c0b126c87336bc2b29a3e995dc5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_et.dll |
1d688c7571f047a36b585d810e02067f | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fa.dll |
81f8d0fbff693910fedc808047cdf156 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fi.dll |
6cec555d88a69bdb910188c2b53b19a3 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fil.dll |
598294ce0043943aa4cc04edc139e6c8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fr.dll |
7d3a8a7aec219fcbecacd04f1ad66053 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_gu.dll |
0a9a7354a95c559a4093f24fff784911 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hi.dll |
de931037c2f487efa900aa6590cac9e0 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hr.dll |
456664b46a1948b0df8785bd5b87f858 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hu.dll |
43a73db8674c025026ed4cad9359a574 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_id.dll |
5e609c7d0ab38fa244949da75da04a1b | c:\Program Files\Google\Update\1.3.33.17\goopdateres_is.dll |
d002a3352574a6e6999a6f2c23566745 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_it.dll |
ffef2d63908222cacee0e40c138d5986 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_iw.dll |
b71ff4a60875f30db7e492d4806f0c92 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ja.dll |
c6a1c2e334df66970a03b30539757f36 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_kn.dll |
fb58fffc04f44137610caae567cfaf6a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ko.dll |
3b033e1092474acd6b7cfcf01a999d34 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_lt.dll |
3b00a99d877881ba0fc786fdd8e3b426 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_lv.dll |
157bf7b8eca4bc66d5c7fb3e358d5c58 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ml.dll |
7c864e8d77ebe0bc8451ade4f67f68b3 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_mr.dll |
225c45af996ebf983800025ea32f6c18 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ms.dll |
2b04cd187acac2019e13195a3cc53a31 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_nl.dll |
38651bcc330768d3e74763452a8e46e2 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_no.dll |
531e1fca96b1cc6dfbb74c2e96d990c7 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pl.dll |
237642b8bddfe765e073a3aa6c29ca0a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-BR.dll |
298f4f2bd4e7b962615bcf0ed3d673ca | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-PT.dll |
ea1ef744fb8ba02148b362adeac70952 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ro.dll |
774b5644ad40e4d3863d81a7d30d4fae | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ru.dll |
6ffd62c9d080288bcc95816afd018048 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sk.dll |
d7b41237faca93b3d0666e4fd38092b8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sl.dll |
25bbd03fc02f7daa9168dce7dfaef624 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sr.dll |
e645c5eb4401b5e443a9744fc141b2f5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sv.dll |
2f111d7785bfcd6b4228df0cdf353407 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sw.dll |
8bb63ae799037b02a89c42408abf755a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ta.dll |
2f40316ac456b383c58be478daf69ce9 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_te.dll |
cdc5e8fdba12f79c056bcf3085335ac5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_th.dll |
811ac46d616f94ae885175863e0ce95d | c:\Program Files\Google\Update\1.3.33.17\goopdateres_tr.dll |
23725511dd277f08993bbfbaf27123c1 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_uk.dll |
3edc8f630a94d57674097194540a9f6a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ur.dll |
baff2a81498cb67c560d443e96153060 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_vi.dll |
6c2d04d599eb5b4549653d030d9d6550 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-CN.dll |
f66719fb333de285e6edd1fd20e0edf8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-TW.dll |
671e1e25f6f08809863bb9aed544e70e | c:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll |
cca7a6b6c2bce1e8af12a95f69c4cc8f | c:\Program Files\Google\Update\1.3.33.17\psmachine.dll |
edad26bca1696d23ecb9dc3ab48fd551 | c:\Program Files\Google\Update\1.3.33.17\psmachine_64.dll |
c2762290bb2ece339d4c63f7a8a6acc8 | c:\Program Files\Google\Update\1.3.33.17\psuser.dll |
58b48e4352559d4d76776377fde5df0c | c:\Program Files\Google\Update\1.3.33.17\psuser_64.dll |
53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe |
53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\Install\{DE396D46-002C-4560-9490-D50743627705}\GoogleUpdateSetup.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 3039 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | hilebol.online |
127.0.0.1 | www.hilebol.online |
127.0.0.1 | hilebol.online/ |
127.0.0.1 | www.hilebol.online/ |
127.0.0.1 | https://hilebol.online/ |
127.0.0.1 | https://hilebol.online |
127.0.0.1 | link.tl |
127.0.0.1 | www.link.tl |
127.0.0.1 | link.tl/ |
127.0.0.1 | www.link.tl/ |
127.0.0.1 | https://link.tl/ |
127.0.0.1 | https://link.tl |
127.0.0.1 | tr.link |
127.0.0.1 | www.tr.link |
127.0.0.1 | tr.link/ |
127.0.0.1 | www.tr.link/ |
127.0.0.1 | https://tr.link/ |
127.0.0.1 | https://tr.link |
127.0.0.1 | pnd.tl |
127.0.0.1 | www.pnd.tl |
127.0.0.1 | pnd.tl/ |
127.0.0.1 | www.pnd.tl/ |
127.0.0.1 | https://www.pnd.tl/ |
127.0.0.1 | https://pnd.tl |
127.0.0.1 | memoryhackers.net |
127.0.0.1 | www.memoryhackers.net |
127.0.0.1 | memoryhackers.net/ |
127.0.0.1 | www.memoryhackers.net/ |
127.0.0.1 | https://basetarama.blogspot.com.tr/ |
127.0.0.1 | https://basetarama.blogspot.com.tr |
127.0.0.1 | www.basetarama.blogspot.com.tr/ |
127.0.0.1 | www.basetarama.blogspot.com.tr |
127.0.0.1 | basetarama.blogspot.com |
127.0.0.1 | basetarama.blogspot.com/ |
127.0.0.1 | www.basetarama.blogspot.com |
127.0.0.1 | www.basetarama.blogspot.com/ |
127.0.0.1 | https://www.hileplus.com/ |
127.0.0.1 | www.hileplus.com |
127.0.0.1 | www.hileplus.com/ |
127.0.0.1 | https://www.hileplus.com |
127.0.0.1 | hileplus.com/ |
127.0.0.1 | hileplus.com/ |
127.0.0.1 | http://www.hilenbizde.com/ |
127.0.0.1 | http://www.hilenbizde.com |
127.0.0.1 | www.hilenbizde.com |
127.0.0.1 | www.hilenbizde.com/ |
127.0.0.1 | hilenbizde.com |
127.0.0.1 | hilenbizde.com/ |
127.0.0.1 | http://www.guncelhileindir.net |
127.0.0.1 | http://www.guncelhileindir.net/ |
127.0.0.1 | guncelhileindir.net |
127.0.0.1 | guncelhileindir.net/ |
127.0.0.1 | www.guncelhileindir.net |
127.0.0.1 | www.guncelhileindir.net/ |
127.0.0.1 | https://baksen.org |
127.0.0.1 | https://baksen.org/ |
127.0.0.1 | baksen.org |
127.0.0.1 | baksen.org/ |
127.0.0.1 | www.baksen.org |
127.0.0.1 | www.baksen.org/ |
127.0.0.1 | http://oyunhilecik.com |
127.0.0.1 | http://oyunhilecik.com/ |
127.0.0.1 | oyunhilecik.com |
127.0.0.1 | oyunhilecik.com/ |
127.0.0.1 | www.oyunhilecik.com |
127.0.0.1 | www.oyunhilecik.com/ |
127.0.0.1 | http://www.guncelhileindir.net |
127.0.0.1 | http://www.guncelhileindir.net/ |
127.0.0.1 | guncelhileindir.net |
127.0.0.1 | guncelhileindir.net/ |
127.0.0.1 | www.guncelhileindir.net |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: nvidia
Product Name: nvidia
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2018
Legal Trademarks: nvidia
Original Filename: Tanilama Sorun Giderme Sihirbazi.exe
Internal Name: Tanilama Sorun Giderme Sihirbazi.exe
File Version: 1.0.0.0
File Description: nvidia
Comments: nvidia
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 1684548 | 1684992 | 4.04728 | 5bd1d1e5c64a253622ff4432b0651c2c |
.rsrc | 1695744 | 15368 | 15872 | 2.90165 | d0754f113e382b10c2bbb3ce4629b5df |
.reloc | 1712128 | 12 | 512 | 0.070639 | 35afd37a619a37217246995b49e75eeb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | |
hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe | |
hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529471712&mv=m&pcm2cms=yes&pl=24&shardbypass=yes | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= | |
hxxp://cs9.wac.phicdn.net/sha2-ha-server-g6.crl | |
hxxp://rvip1.ue.cachefly.net/sha2-ha-server-g6.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/tspca.crl | |
hxxp://cs9.wpc.v0cdn.net/IE9CompatViewList.xml | |
hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529471712&mv=m&pcm2cms=yes&pl=24&shardbypass=yes | 80.91.179.80 |
hxxp://crl4.digicert.com/sha2-ha-server-g6.crl | 66.225.197.197 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= | 93.184.220.29 |
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl | 77.222.148.96 |
hxxp://crl3.digicert.com/sha2-ha-server-g6.crl | 93.184.220.29 |
hxxp://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml | 152.199.19.161 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | 93.184.220.29 |
hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe | 172.217.21.206 |
tools.google.com | 172.217.21.206 |
update.googleapis.com | 172.217.21.195 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:2428
GoogleUpdate.exe:2276
GoogleUpdate.exe:3604
GoogleUpdate.exe:2348
GoogleUpdate.exe:2564
GoogleUpdate.exe:1860
GoogleUpdateSetup.exe:1080 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Google\Update\Install\{DE396D46-002C-4560-9490-D50743627705}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
C:\Windows\System32\drivers\etc\hosts (3 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\psuser.dll (206 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM8FC0.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUT8FC1.tmp (7 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ar.dll (41 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.